You’ve probably had to enter a six-digit code from an authenticator app when signing in online. That’s known as a time-based one-time password, or TOTP, and it’s an incredibly easy way to enhance the security of your online accounts.
Because each code expires after 30 seconds or so (some services use a longer interval), a stolen code is useful to an attacker for only moments, even if they have already stolen your password. We’ll explore what TOTPs are, how they work, and how they compare with other authentication methods.
What is TOTP?
A TOTP is a type of one-time password (OTP) that derives each code from a shared secret and the current time. Codes change every 30 to 60 seconds, so even if an attacker somehow captures one, it stops working moments later and can’t be reused.
TOTP is one of the most common second factors in two-factor authentication (2FA): it adds a “something you have” check on top of your username and password. It’s convenient to use, since you just read the code from an authenticator app, and its time-based nature limits how long a captured code stays useful.
How does TOTP work?
To put it simply, TOTP works by sharing a secret key between the service you’re protecting and your TOTP app. Each code is computed from that secret and the current time step (an HMAC, truncated to six or eight digits, as standardized in RFC 6238), so the two sides never need to exchange anything else.
When you enable 2FA, you scan a QR code to share the secret key with your TOTP authenticator. TOTP apps are free, and common ones include Google Authenticator and Microsoft Authenticator. If you’re using a secure password manager, it might feature an integrated 2FA authenticator that generates TOTP codes. Proton Pass is one such password manager; it stores your passwords securely and generates your 2FA codes all in one app.
Once the initial setup is complete, the service and the authenticator app don’t need to talk to each other again: each independently computes the same code from the shared secret and the current time (typically the number of 30-second intervals since the Unix epoch). When you log in, you’ll be prompted to enter a 2FA code. The service computes the code it expects for the current interval, usually accepting one interval on either side to absorb small clock differences, and if it matches the one you enter, you’ll be logged in.
The differences between TOTP and other one-time passwords
TOTP is just one of several one-time password (OTP) methods. Here’s a quick overview of how TOTP compares against them. You can also find a more extensive guide on the difference between TOTPs, OTPs, and HOTPs.
TOTP vs OTP
OTP is an umbrella term for single-use passwords. TOTP is a type of OTP that uses a time-based model to generate OTP codes. All TOTPs are OTPs, but there are other OTP methods. These include SMS and email codes, and HOTP. Each method has different ways of generating and delivering your OTP code.
TOTP vs HOTP
HMAC-based one-time passwords (HOTPs) use a counter instead of a clock: a new code is generated only when you request one, and the counter advances each time. A HOTP code stays valid until it is used or a later code is accepted, so a stolen code can sit around for a long time. TOTP is essentially HOTP with the counter replaced by the current time step, which is why its codes expire on their own after 30 to 60 seconds and give attackers less time to use stolen codes.
TOTP vs SMS and email codes
SMS and email codes are delivered through third parties: your mobile carrier and your email provider. SMS codes can be captured through SIM swapping or weaknesses in carrier networks, and email codes are only as safe as your inbox. TOTP codes, by comparison, are generated on your device from a secret that never leaves it after setup; the only thing that ever crosses the network is the code you type in at login.
The security benefits of TOTP
There are several security benefits that come with using TOTP as your preferred OTP method.
- Time-limited codes: each TOTP code is valid for a single interval of 30 to 60 seconds, after which it can’t be reused. An attacker who captures a code has only seconds to use it.
- Secret stays on your device: after setup, the shared secret is never sent across a network and codes are generated locally, so there is no delivery channel to intercept. One caveat: the code you type can still be captured by a phishing page that relays it to the real service in real time, so check the address bar before entering it.
- Breach protection: if your password is exposed in a data breach, TOTP codes provide an additional barrier to unauthorized logins. Attackers cannot access your account without the secret stored in your authenticator app or a fresh code from it.
- Works on any smartphone: TOTP works right from your smartphone — no need to purchase a hardware token. Just download an authenticator app onto your device, and you’re set.
TOTP offers excellent security, but it isn’t perfect. Losing your device could lock you out of accounts, so always save backup codes. The QR code shown during setup contains the secret itself, so don’t screenshot or share it. Also, ensure your devices’ clocks sync automatically with the internet: services usually tolerate only about one interval of drift, and an incorrect clock is a common cause of TOTP failures.
Secure your accounts with TOTP
TOTP enhances your account security with time-based codes that are superior to other OTP methods. Managing multiple passwords and 2FA codes doesn’t have to be a hassle — just use Proton Pass, a password manager with an integrated TOTP authenticator.
Proton Pass combines password storage and generation with a 2FA authenticator, so you don’t need to switch apps when signing in or install a separate authenticator. It saves you storage space and makes signing in with 2FA seamless. Everything you store in Proton Pass, including the codes you generate, is protected by powerful end-to-end encryption.
Take login security to the next level — enable TOTP for your accounts and store all your passwords with Proton Pass today.